Configuring the NAM

How you configure the NAM on your switch depends on whether you are using Cisco IOS software or the Catalyst operating system software. Several NAM configuration tasks are common to both switch operating systems.

Configuring Traffic Sources for Capturing NAM Traffic

The WS-SVC-NAM-1 platform provides a single destination port for one SPAN session or one VACL session.

The WS-SVC-NAM-2 platform provides two possible destination ports for VACL and SPAN sessions. The destination ports for use by the SPAN GUI are named data port 1 and data port 2 by default. For the CLI SPAN port names, see Table 1-2 on page 1-3.

VACL and SPAN cannot be applied to the same port simultaneously. Table 3-1 shows the SPAN and VACL port configurations that are supported on the NAM.

Cisco IOS Software

You can capture traffic for NAM monitoring from a single VLAN or from multiple VLANs. If you want to monitor traffic from specific VLANs only, you need to clear the VLANs that you do not want to monitor from the capture feature.

Using SPAN as a Traffic Source

You can configure SPAN as a traffic source using both the CLI and the NAM Traffic Analyzer application.

The NAM can analyze Ethernet traffic from Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel SPAN source ports. You can also specify an Ethernet VLAN as the SPAN source.

For more information on SPAN, see the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide at this URL:

Filters the SPAN session so that only certain VLANs are seen from switch port trunks.

Router# show monitor session {session_number}

Shows current monitor sessions.

This example shows how to enable SPAN on the NAM:

Router# show monitor
Session 1
---------
Source Ports:
    RX Only: None
    TX Only: None
    Both: None
Source VLANs:
    RX Only: None
    TX Only: None
    Both: None
Destination Ports: None
Filter VLANs: None
Session 2
---------
Source Ports:
    RX Only: None
    TX Only: None
    Both: None
Source VLANs:
    RX Only: None
    TX Only: None
    Both: None
Destination Ports: None
Filter VLANs: None
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# monitor session 1 source vlan 1 both

Note If you are using the switch CLI to configure SPAN as a traffic source to NAM-1, the SPAN destination port for NAM-1 is data-port 1. The SPAN destination ports for NAM-2 are data-port 1 and data-port 2.

Using a VACL as a Traffic Source

This section describes how to configure a VACL for a switch running Cisco IOS Release 12.1(13)E1 or later releases. To configure a LAN VACL on the Catalyst operating system, you can use the security ACL feature to achieve the same result. For more information, see the "Operating-System-Independent Configuration" procedure.

Note Due to a Cisco IOS limitation (the IOS VACL capture function ignores traffic sourced from the 7600 routers), egress traffic from some modules (such as firewall and IDS modules) might not be captured at the NAM data port. Check the module's documentation for this limitation.

Configuring a VACL on a WAN Interface

Because WAN interfaces do not support SPAN, if you want to monitor traffic on a WAN interface using a NAM, you must manually configure a VACL on the switch using the switch CLI. This feature works only for IP traffic over the WAN interface. You can apply additional filtering rules to target specific data flows.

In addition, you can use a VACL if there are no available SPAN sessions to direct traffic to the NAM. In this scenario, you can set up a VACL instead of SPAN for monitoring VLAN traffic.

The following examples describe the steps to configure a VACL for a switch running Cisco IOS Release 12.1(13)E1 or higher. To configure a LAN VACL on a switch running the Catalyst operating system, use the ACL feature to achieve the same result.

This example shows how to configure a VACL on an ATM WAN interface and forward both ingress and egress traffic to the NAM:

For monitoring ingress traffic, you should replace VLAN 1017 in the previous capture configuration with the VLAN ID that carries the ingress traffic. For example, this configuration allows the NAM to monitor only ingress traffic on a WAN interface:

Cat6509(config)# analysis module 3 data-port 1 capture allowed-vlan 1

Configuring a VACL on a LAN VLAN Interface

To monitor VLAN traffic on the LAN, you can forward the traffic to the NAM by using SPAN. However, in some rare circumstances, if the spanned traffic exceeds the NAM's monitoring capability, you can prefilter the LAN traffic before it is forwarded to the NAM.

This example shows how to configure a VACL for the LAN VLAN interfaces. In this example, all traffic that is directed to the server 172.20.122.226 on VLAN 1 is captured and forwarded to the NAM that is located in slot 3:

Cat6500# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cat6500(config)# access-list 100 permit ip any any
Cat6500(config)# access-list 110 permit ip any host 172.20.122.226
Cat6500(config)# vlan access-map lan 100
Cat6500(config-access-map)# match ip address 110
Cat6500(config-access-map)# action forward capture
Cat6500(config-access-map)# exit
Cat6500(config)# vlan access-map lan 200
Cat6500(config-access-map)# match ip address 100
Cat6500(config-access-map)# action forward
Cat6500(config-access-map)# exit
Cat6500(config)# vlan filter lan vlan-list 1
Cat6500(config)# analysis module 3 data-port 1 capture allowed-vlan 1
Cat6500(config)# analysis module 3 data-port 1 capture
Cat6500(config)# exit
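To make the behaviour of the access map above concrete, here is an added Python model (not Cisco code and not part of the original guide) of how an IP packet entering VLAN 1 is classified. The ACL contents, sequence numbers and server address are taken from the example; the first-match evaluation and the drop of packets that match no sequence are Cisco's documented VACL behaviour, which is why sequence 200 with permit ip any any is required.

```python
"""Model of the IOS VLAN access-map decision that determines what the NAM sees on VLAN 1."""
from ipaddress import ip_address, ip_network

# Constructed ACLs mirroring the page: 100 = permit ip any any,
# 110 = permit ip any host 172.20.122.226. Entries are (action, src net, dst net).
ACLS = {
    100: [("permit", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))],
    110: [("permit", ip_network("0.0.0.0/0"), ip_network("172.20.122.226/32"))],
}

# vlan access-map lan: (sequence, matched ACL, actions). Lowest sequence first,
# first match wins, exactly as the switch evaluates the map.
ACCESS_MAP_LAN = [
    (100, 110, {"forward", "capture"}),
    (200, 100, {"forward"}),
]


def acl_permits(acl_number, src, dst):
    """First matching ACE decides; an ACL with no matching ACE implicitly denies."""
    for action, src_net, dst_net in ACLS[acl_number]:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return action == "permit"
    return False


def vacl_disposition(access_map, src, dst):
    """Return ("forward" | "drop", captured) for an IP packet entering the VLAN."""
    for _seq, acl_number, actions in sorted(access_map, key=lambda e: e[0]):
        if acl_permits(acl_number, src, dst):
            if "drop" in actions:
                return "drop", False
            return "forward", "capture" in actions
    # No sequence matched: the access map drops the packet. Sequence 200 with
    # 'permit ip any any' exists precisely so the rest of VLAN 1 keeps flowing.
    return "drop", False


def reaches_nam(access_map, src, dst, vlan, allowed_vlans=frozenset({1})):
    """A captured packet reaches the NAM data port only if its VLAN is in 'capture allowed-vlan'."""
    disposition, captured = vacl_disposition(access_map, src, dst)
    return disposition == "forward" and captured and vlan in allowed_vlans


if __name__ == "__main__":
    print(vacl_disposition(ACCESS_MAP_LAN, "10.0.0.1", "172.20.122.226"))  # forwarded and captured
    print(vacl_disposition(ACCESS_MAP_LAN, "10.0.0.1", "10.0.0.2"))        # forwarded, not captured
    print(vacl_disposition(ACCESS_MAP_LAN[:1], "10.0.0.1", "10.0.0.2"))    # dropped without sequence 200
```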

Using NetFlow Data Export as a Traffic Source

NDE makes traffic statistics available for analysis by an external data collector. You can use NDE to monitor all Layer 3-switched and all routed IP unicast traffic. To use NDE as a traffic source for the NAM, enable the NetFlow Monitor option to allow the NAM to receive the NDE stream. The statistics are presented on reserved ifIndex.3000.

Configuring NDE for a NetFlow device so that it exports NDE packets to the NAM is platform specific and version specific to the sending device. See the device NDE configuration guidelines for more information.

NDE Configuration

To configure NDE for the Cisco IOS software for both local and remote NDE devices, follow these steps:

Step 1 Enter configuration mode and select the interface on which to collect NetFlow statistics:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface type slot/port

Step 2 Enable NetFlow for the interface.

Router(config-if)# ip route-cache flow

Step 3 Export the routed flow cache entries to the NAM on UDP port 3000.

Router(config)# ip flow-export destination NAM-address 3000

Note The UDP port number must be set to 3000.

When you configure a NAM module as an NDE collector, you should use the IP address of the NAM (set up by sessioning into the NAM module).

This example shows how to set up a basic NDE configuration:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan 2
Router(config-if)# ip route-cache flow
Router(config-if)# exit
Router(config)# ip flow-export destination 172.20.104.74 3000
Router(config)# exit

NDE Configuration from MLS Cache

To configure NDE from the PFC (multilayer switching cache), follow these steps:

Step 1 Enter configuration mode.

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Step 2 Select the version of NDE.

Router(config)# mls nde sender version version-number

Note The NAM supports NDE versions 1, 5, 6, 7, 8, and 9, and version 8 aggregation caches. See the Cisco IOS documentation for the NDE versions that are supported by the switch software to determine which NDE versions are available to the NAM.

Step 3 Select the NDE flow mask.

Router(config)# mls flow ip [interface-full | full]

Note Use the full keyword to include additional details of the collection data in the flow mask.

Step 4 Enable NetFlow export.

Router(config)# mls nde sender

Step 5 Export NetFlow packets to the NAM UDP port 3000.

Router(config)# ip flow-export destination NAM-Address 3000

This example shows how to set up an NDE configuration from the Multilayer Switch Feature Card (MSFC):

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# mls nde sender version 5
Router(config)# mls flow ip full
Router(config)# mls nde sender
Router(config)# ip route-cache flow
Router(config)# ip flow-export destination 172.20.104.74 3000
Router(config)# exit
Router# show ip cache flow
Router# show ip flow export

For more information on configuring NDE on the Policy Feature Card (PFC), see this URL:

NDE Configuration for Version 8 Aggregation

Note Although the NAM supports NDE aggregation, the information that you receive for a specified aggregation type is limited to that aggregation, and other NDE details are not available. To receive more information about your NDE configuration, use the full flow mode.

If the NetFlow device supports NDE version 8 aggregations, flows from one or more of the version 8 aggregation caches may be exported to the NAM. To export flows from the aggregation caches, perform these steps:

This example shows how to set up an NDE version 8 aggregation configuration:

Router(config)# ip flow-aggregation cache prefix
Router(config-flow-cache)# enable
Router(config-flow-cache)# export destination 172.20.104.74 3000
Router(config-flow-cache)# exit
Router(config)# exit
Router# show ip cache flow-aggregation prefix

Catalyst Operating System Software

You can capture traffic for NAM monitoring from a single VLAN or from multiple VLANs. If you want to monitor traffic from specific VLANs only, you need to clear the VLANs that you do not want to monitor from the capture feature.

Using SPAN as a Traffic Source

You can configure Remote SPAN (RSPAN) as a traffic source using both the NAM Traffic Analyzer application and the switch CLI. We recommend that you use NAM Traffic Analyzer.

For more information about SPAN and RSPAN, see the "Configuring SPAN, RSPAN, and the Mini Protocol Analyzer" chapter in the Catalyst 6500 Series Switch Software Configuration Guide.

You can use RSPAN traffic as a SPAN source for the NAM. Verify that the SPAN source is set to the same VLAN ID that is used for RSPAN. The SPAN destination should be set to nam_module/port.

Note If you are using the switch CLI to configure SPAN as a traffic source to NAM-1, set the destination port to 3. If you are configuring SPAN as a traffic source to NAM-2, set the SPAN port to destination port 7. Destination port 8 is not available in this NAM release although switch and hardware support is available.

Note You cannot use NAM ports as SPAN source ports.

The NAM can analyze Ethernet traffic from Ethernet, Fast Ethernet, Gigabit Ethernet, trunk ports, or Fast EtherChannel SPAN source ports. You also can specify an Ethernet VLAN as the SPAN source.

For more information on configuring SPAN and RSPAN, see the Catalyst 6500 Series Switch Software Configuration Guide.

This example shows how to set SPAN VLAN 1 to a NAM-2 that is located in slot 5:

Console> (enable) set span 1 5/7

Using a LAN VACL as a Traffic Source

Unlike WAN VACLs, which can be used to capture inbound or outbound VLAN packets, Catalyst operating system VACLs can only be used to capture VLAN packets as they are initially routed or bridged into the VLAN on the switch.

This example shows how to create a VACL that captures all the IP packets that are bridged or routed into VLAN 1 on the switch to the NAM-1 data port 6/3:

Using NetFlow Data Export as a Traffic Source

To use NetFlow Data Export (NDE) as a traffic source for the NAM, you must enable the NetFlow Monitor option to allow the NAM to receive the NDE stream. For a local switch, the statistics are presented on reserved ifIndex.3000 as in previous NAM releases. The remote switch uses ifIndex.50000 and greater.

You need to configure the Multilayer Switch Feature Card (MSFC) to use NetFlow. For more information, see the Catalyst 6500 Series Switch Software Configuration Guide.

Note There are no CLI commands for creating NetFlow custom data sources. To create a NetFlow custom data source, you must use the NAM Traffic Analyzer GUI.

NDE Configuration

To enable the NetFlow Monitor for the Catalyst operating system:

Step 1 Select the NDE version using a command like the following:

set mls nde version nde-version-number

The NAM supports NDE versions 1, 5, 6, 7, 8, 9, and version 8 aggregation caches. See the Cisco IOS documentation for NDE versions supported by the switch software to determine which NDE versions are available to the NAM.

Step 2 Set the NDE flow mask to full.

set mls flow full

Although the NAM supports NDE aggregation, the information you receive for a specified aggregation type is limited to that aggregation and other NDE details are not available. To receive more information about your NDE configuration, use the full flow mode.

Step 3 Direct NDE packets to the NAM with commands like the following:

set snmp extendedrmon netflow [enable | disable] mod

set mls nde NAM-address 3000

Step 4 Enable NDE packets to the NAM.

set mls nde enable

Step 5 Ensure that the device exports if-index.

set mls nde destination-ifindex enable

set mls nde source-ifindex enable

Use this step to break out NetFlow data by interface and direction at the NAM.

Step 6 Verify NDE export. On the local switch, use commands like the following:

show snmp
show mls nde

Step 7 On the remote switch, use a command like the following:

show mls nde

The following example shows how to enable the NetFlow Monitor option and verify that it is enabled:

Console> (enable) set snmp extendedrmon netflow enable 2
Snmp extended RMON netflow enabled
Console> (enable) show snmp
RMON: Enabled
Extended RMON NetFlow Enabled : Module 2
Traps Enabled:
None
Port Traps Enabled: None

Community-Access     Community-String
----------------     --------------------
read-only            public
read-write           private
read-write-all       secret

Trap-Rec-Address                           Trap-Rec-Community
----------------------------------------   --------------------
<...output truncated...>

Note If a NAM is installed, you do not need to specify an external data collector with the set mls nde collector_ip [udp_port_number] command as described in the Catalyst 6500 Series Software Configuration Guide. Ignore any messages that indicate that the host and port are not set.

Exporting NDE From Bridged Flow Statistics

If the switch supports exporting NDE from bridged-flow statistics, you can use bridged-flow statistics to export NDE to the NAM.

To configure bridged-flow statistics export for NDE:

Step 1 Enable bridged-flow statistics on the VLANs.

set mls bridged-flow-statistics enable vlan-list

Step 2 Export NDE packets to UDP port 3000 of the NAM.

set mls nde NAM-address 3000
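Both the Cisco IOS and the Catalyst operating system NDE procedures above end with the switch sending NetFlow export datagrams to the NAM on UDP port 3000. The following added Python example (not Cisco or NAM code) shows what a collector on that port has to do with a version 5 export: validate the header, reject truncated datagrams, decode each 48-byte flow record, and break traffic out by the input ifIndex that the source-ifindex export provides. The sample datagram is constructed in the block; the addresses and ifIndex values are invented, and the record layout is the public NetFlow v5 format.

```python
"""Parse a NetFlow Data Export (NDE) version 5 datagram, as a collector on UDP 3000 would."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record


def parse_v5(datagram: bytes) -> dict:
    """Return header fields and flow records; raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, eid, _samp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NDE version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:   # a truncated or padded export must not be trusted
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "pkts": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return {"version": version, "sequence": seq, "engine_id": eid, "flows": flows}


def is_valid_v5(datagram: bytes) -> bool:
    """True if the datagram parses as a well-formed v5 export."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def octets_by_input_ifindex(parsed: dict) -> dict:
    """Sum octets per input ifIndex, the per-interface breakout the source-ifindex export enables."""
    totals = {}
    for f in parsed["flows"]:
        totals[f["in_if"]] = totals.get(f["in_if"], 0) + f["octets"]
    return totals


def build_v5(flows, seq=1) -> bytes:
    """Constructed test exporter: flows are (src, dst, in_if, out_if, pkts, octets, sport, dport, proto)."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1700000000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", i, o, p, oc,
                       0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, i, o, p, oc, sp, dp, pr in flows)
    return header + body


# Constructed sample export: two flows to a server from ifIndex 3, one reply flow from ifIndex 7.
SAMPLE = build_v5([
    ("10.1.1.5", "172.20.122.226", 3, 7, 10, 4200, 51000, 443, 6),
    ("10.1.1.6", "172.20.122.226", 3, 7, 4, 800, 51001, 22, 6),
    ("10.2.2.9", "10.1.1.5", 7, 3, 2, 120, 53, 40000, 17),
])

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE)
    for flow in parsed["flows"]:
        print(flow)
    print(octets_by_input_ifindex(parsed))
```

Receiving the datagrams is a plain UDP socket bound to port 3000; the parser is the part that has to refuse anything that is not a complete, version-5 export.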

Operating-System-Independent Configuration

These sections describe the NAM configurations that are not dependent on the switch operating system:

Configuring the HTTP or HTTP Secure Server

Before you can access the NAM through a web browser (HTTP or HTTPS), you must enable the NAM Traffic Analyzer application from the NAM CLI. For HTTP, use the ip http server enable command. For HTTPS, use the ip http secure server enable command. You also can optionally configure the HTTP (or HTTPS) servers to run on a different TCP port from the default.

Note You can use the HTTP server or the HTTP secure server, but not both.

Note The ip http secure commands are all disabled by default, and you must first download and install the NAM strong crypto patch from http://www.Cisco.com before you can enable them.

Configuring the HTTP Server

To configure the HTTP server parameters for the NAM, follow these steps:

Configuring the HTTP Secure Server

The ip http secure commands are all disabled by default, and you must enable the HTTP secure server by installing a strong crypto patch. If you prefer to use SSH instead of Telnet, you also must install a strong crypto patch.

To install a strong crypto patch, follow these steps:

Step 1 Download the patch from http://www.Cisco.com and publish the patch in an FTP server.

Step 2 Install the patch as follows:

root@localhost# patch ftp-url

where ftp-url is the FTP location and the name of the strong crypto patch.

Common Name (eg, your name or your server's hostname) [r2d2-186.cisco.com]:
Email Address []:kjchen@cisco.com
Using configuration from /usr/local/nam/defaults/openssl.cnf
-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----
Disabling HTTP secure server...
Successfully disabled HTTP secure server.
Enabling HTTP secure server...
Successfully enabled HTTP secure server.
root@localhost#

To obtain a certificate from a certification authority, you need to first generate a certificate-signing request and then submit the certificate-signing request manually to the certification authority. After obtaining the certificate from the certification authority, install the certificate.

Installing Certificates

To install a certificate from a certification authority, follow these steps:

Step 1 Generate a certificate signing request as follows:

root@localhost# ip http secure generate certificate-request
A certificate-signing request already exists. Generating a
new one will invalidate the existing one and any certificates
already generated from the existing request. Do you still
want to generate a new one? [y/n] y
5244 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......................................++++++
.++++++
e is 65537 (0x10001)
Using configuration from /usr/local/nam/defaults/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.